Yahoo to begin offering PGP encryption support in Yahoo Mail service

CISO Alex Stamos announces change will go into effect in the fall.

Yahoo Chief Information Security Officer Alex Stamos announced today at Black Hat 2014 that starting in the fall of this year, the purple-hued company will begin giving users the option of seamlessly wrapping their e-mails in PGP encryption. According to Kashmir Hill at Forbes, the encryption capability will be offered through a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail.

The announcement was tweeted by Yan Zhu, who has reportedly been hired by Yahoo to adapt End-to-End for use with Yahoo Mail. Zhu formerly worked as an engineer at the Electronic Frontier Foundation, an organization that has consistently been outspoken in its call for the widespread use of encryption throughout the Web and the Internet in general.

In an interview with the Wall Street Journal, Stamos acknowledged that the introduction of encryption will require some amount of education for users to make sure their privacy expectations are set appropriately. For example, he explained that PGP encryption won’t cloak the destination of your e-mail. "We have to make it clear to people it is not [a] secret you’re emailing your priest, but the content of what you’re e-mailing him is secret," Stamos said.

Of course, nothing is stopping sufficiently motivated users from using PGP encryption with Yahoo Mail today. The problem is that without a plug-in like End-to-End, getting asymmetric key cryptography working in webmail (or in any e-mail client, for that matter) requires climbing a relatively steep learning curve. People wanting to communicate via encrypted e-mail have to be at least minimally familiar with how to exchange and manage public keys, how to keep their private keys properly secure, and how to actually encrypt and decrypt messages. Flattening that curve and turning encryption into a single-click process will go a long way toward increasing the number of people actively using encryption in e-mail.

The Wall Street Journal also brings up Lavabit, the encrypted e-mail provider that chose to go out of business last year rather than continue operating after giving the FBI the ability to decrypt its users’ messages. In Lavabit’s case, the government was able to compel the company to turn over its private SSL/TLS key, which could be used to view encrypted messages in flight between users’ computers and the Lavabit servers. With PGP encryption implemented in a browser plug-in, though, messages are encrypted before they’re transmitted, and the private keys cannot be disclosed by Yahoo because the company doesn’t possess them.

Stamos’ statement on the matter of what would happen if a government agency came calling is blunt. He characterizes Yahoo as "a multibillion-dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court."

Lee Hutchinson / Lee is the Senior Reviews Editor at Ars and is responsible for the product news and reviews section. He also knows stuff about enterprise storage, security, and manned space flight. Lee is based in Houston, TX.